# vim: set filetype=sh ts=4 sw=4 sts=4 et:
# shellcheck shell=bash
# shellcheck disable=SC2317,SC2086,SC2016,SC2046
# below: convoluted way that forces shellcheck to source our caller
# shellcheck source=tests/functional/launch_tests_on_instance.sh
. "$(dirname "${BASH_SOURCE[0]}")"/dummy

# Functional test suite for the bastion's cron and admin scripts: the ACL/keys
# backup (without and then with GPG keys), setup-gpg.sh key generation and
# import, the periodic cleanup/rotation cron jobs, ttyrec encryption, and the
# account/group rename scripts.
#
# The helpers used here (success, script, run, contain, nocontain, json,
# retvalshouldbe, get_stdout) and the variables ($r0, $a0, $a1, $account*,
# $group*, $admins_gpg_key_*, $opt_remote_etc_bastion, ...) are not defined in
# this file. Presumably each contain/nocontain/json/retvalshouldbe line asserts
# on the output of the most recent success/script/run step, so the order of the
# statements matters - confirm against the sourcing test launcher.
# The steps are stateful: later steps rely on config and keys set up earlier.
testsuite_scripts()
{

    # try to backup without having a GPG key setup first
    # (append DESTDIR to the backup script's config so it has somewhere to write)

    success backup_config $r0 "\"echo DESTDIR='/root/backups' >> $opt_remote_etc_bastion/osh-backup-acl-keys.conf\""

    # with no key configured, the backup must be created but left unencrypted,
    # and the script must say so explicitly
    success backup_run_nokey $r0 /opt/bastion/bin/cron/osh-backup-acl-keys.sh
    contain "Creating /root/backups/backup-"
    contain "File created"
    contain "will not be encrypted"
    nocontain "Encrypting"
    contain "Done"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

    # generate & import keys

    success setup_keys_generate $r0 /opt/bastion/bin/admin/setup-gpg.sh --generate
    contain "autogenerated with"

    # import a public key block holding two keys; the key material is embedded
    # between single quotes in the command string, so this relies on the fixture
    # containing no single quote
    script setup_keys_import_double $r0 "\"echo '$admins_gpg_key_double_pub' | /opt/bastion/bin/admin/setup-gpg.sh --import\""
    retvalshouldbe 0
    contain "Paste the admins"
    contain "50-gpg-admins-key.conf updated:"
    contain "50-gpg.conf updated:"
    contain "Parsed and added 2 keys"
    # both key IDs must be listed in each generated config; either order is accepted
    contain REGEX "GPGKEYS='($admins_gpg_key_double1_id $admins_gpg_key_double2_id|$admins_gpg_key_double2_id $admins_gpg_key_double1_id)'"
    contain REGEX "(\"$admins_gpg_key_double1_id\", \"$admins_gpg_key_double2_id\"|\"$admins_gpg_key_double2_id\", \"$admins_gpg_key_double1_id\")"
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

    # remove the two config files written by the import above; presumably so that
    # the next import, which is run without --overwrite, starts from a clean state
    success setup_keys_clear $r0 "\"rm -f $opt_remote_etc_bastion/osh-encrypt-rsync.conf.d/50-gpg-admins-key.conf $opt_remote_etc_bastion/osh-backup-acl-keys.conf.d/50-gpg.conf\""

    # import a single key into the now-empty configuration
    script setup_keys_import $r0 "\"echo '$admins_gpg_key2_pub' | /opt/bastion/bin/admin/setup-gpg.sh --import\""
    retvalshouldbe 0
    contain "Paste the admins"
    contain "Parsed and added 1 keys"
    contain "GPGKEYS='$admins_gpg_key2_id'"
    contain '[ "'"$admins_gpg_key2_id"'" ]'
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

    # import another key with --overwrite: the existing config files must be
    # reported as overwritten, and only the new key ID must remain configured
    script setup_keys_import_overwrite $r0 "\"echo '$admins_gpg_key_pub' | /opt/bastion/bin/admin/setup-gpg.sh --import --overwrite\""
    retvalshouldbe 0
    contain "Paste the admins"
    contain "50-gpg-admins-key.conf already exists, but overwriting"
    contain "50-gpg.conf already exists, but overwriting"
    contain "50-gpg-admins-key.conf updated:"
    contain "50-gpg.conf updated:"
    contain "Parsed and added 1 keys"
    contain "GPGKEYS='$admins_gpg_key_id'"
    contain '[ "'"$admins_gpg_key_id"'" ]'
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

    # backup again: now that a key is configured, the backup must be encrypted
    # and the "will not be encrypted" notice must be gone

    success backup_run_key $r0 /opt/bastion/bin/cron/osh-backup-acl-keys.sh
    contain "Creating /root/backups/backup-"
    contain "File created"
    nocontain "will not be encrypted"
    contain "Encrypting"
    contain "Done"
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

    # lingering sessions reaper

    success lingering_sessions_reaper $r0 /opt/bastion/bin/cron/osh-lingering-sessions-reaper.sh
    contain "Done"
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

    # orphaned homedirs

    success orphaned_homedirs $r0 /opt/bastion/bin/cron/osh-orphaned-homedir.sh
    contain "master instance"
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

    # piv grace reaper is handled in 400-piv.sh

    # ttyrec rotate

    success rotate_ttyrec $r0 /opt/bastion/bin/cron/osh-rotate-ttyrec.sh
    contain "Done"
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

    # cleanup guest key access

    success cleanup_guest_key_access $r0 /opt/bastion/bin/cron/osh-cleanup-guest-key-access.pl
    contain "Done"
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

    # encrypt rsync (nothing to encrypt)

    success encrypt_rsync_none $r0 /opt/bastion/bin/cron/osh-encrypt-rsync.pl
    contain 'Config test passed'
    contain "Done"
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

    # ttyrec subfolders cleanup
    success ttyrec_cleanup $r0 /opt/bastion/bin/cron/osh-remove-empty-folders.sh
    contain "Done"
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

    # create an account and connect once with it, so that a ttyrec file exists

    success a0_create_a1 $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\""
    json .error_code OK .command accountCreate .value null

    success a0_allow_a1 $a0 --osh accountAddPersonalAccess --account $account1 --host 127.0.0.1 --user none --port 22
    json .error_code OK .command accountAddPersonalAccess

    # only the "Connecting..." banner is checked here, not the outcome of the connection
    run a1_connect $a1 none@127.0.0.1
    contain 'Connecting...'

    # encrypt rsync (one file to encrypt)

    success encrypt_rsync_one $r0 /opt/bastion/bin/cron/osh-encrypt-rsync.pl --force-encrypt --encrypt-only
    contain 'Config test passed'
    contain "Creating"
    contain "Encrypting"
    contain ".gpg"
    contain "Done, got 0 error(s) and 0 warning(s)"
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"
    # grab the name of one of the encrypted files, for the next test: 4th field of
    # the first output line matching "Encrypting ... to ", with carriage returns stripped
    local gpgfile
    gpgfile=$(get_stdout | awk '/^Encrypting .+ to / {print $4;exit}' | tr -d '\r')

    # import the private key that we'll need on the next test; it is base64-encoded
    # on a single line (-w0) so it can be embedded in the command string below
    local keyb64
    keyb64=$(echo "$admins_gpg_key_priv" | base64 -w0)
    # The snippet decodes the key into a mktemp file, imports it with the passphrase
    # fed on stdin (--passphrase-fd 0), then deletes the file.
    # NOTE(review): $keyb64 and $admins_gpg_key_password are expanded locally into
    # the command string, and `set -x` makes the executing shell trace the echo of
    # the encoded private key, so both can end up in the test output. Tolerable
    # only for throwaway test fixtures - confirm these are never real keys.
    # NOTE(review): the snippet's last command is `rm -f`, so its exit status would
    # be rm's rather than gpg's; the "secret keys imported: 1" check below is what
    # actually confirms the import. There is no trap either, so an interruption
    # between the decode and the rm would leave the private key in the temp file.
    # shellcheck disable=SC1078
    script import_gpg_secret_key "$r0 '
        set -x;
        t=\$(mktemp);
        echo \"$keyb64\" | base64 -d > \$t;
        gpg --import --pinentry-mode loopback --passphrase-fd 0 --batch \$t <<< \"$admins_gpg_key_password\";
        rm -f \$t;
    '"
    retvalshouldbe 0
    contain 'secret keys imported: 1'

    # check that encrypted file is also signed, we need the private key of the recipient because
    # the signature is embedded in the encrypted payload
    # NOTE(review): unlike in the import step above, the password after <<< is not
    # quoted inside the command string, so a password containing whitespace or shell
    # metacharacters would be split or interpreted - confirm the fixture is a single
    # plain word. Also, if the awk above matched nothing, $gpgfile is empty and gpg
    # is given no file argument.
    script encrypt_rsync_one_check "$r0 gpg --list-packets --pinentry-mode loopback --passphrase-fd 0 --batch $gpgfile <<< $admins_gpg_key_password"
    retvalshouldbe 0
    contain ':encrypted'
    contain ':signature'

    # rename account
    # ('</dev/null' is passed as a literal argument; presumably it becomes a stdin
    # redirection when the helper evaluates the command, so that the script cannot
    # wait on interactive input - confirm in the helper)
    script account_rename $r0 /opt/bastion/bin/admin/rename-account.sh $account1 $account2 '</dev/null'
    retvalshouldbe 0
    contain "Done"
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

    # rename account a second time
    script account_rename2 $r0 /opt/bastion/bin/admin/rename-account.sh $account2 $account3 '</dev/null'
    retvalshouldbe 0
    contain "Done"
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

    # cleanup account (it is named $account3 after the two renames)
    success a0_delete_a3 $a0 --osh accountDelete --account $account3 --no-confirm

    # create a group to try to rename it
    success a0_create_g1 $a0 --osh groupCreate --owner $account0 --algo ed25519 --size 256 --group $group1

    # rename the group
    script group_rename $r0 /opt/bastion/bin/admin/rename-group.sh $group1 $group2 '</dev/null'
    retvalshouldbe 0
    contain "Done"
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

    # rename the group, again
    script group_rename2 $r0 /opt/bastion/bin/admin/rename-group.sh $group2 $group3 '</dev/null'
    retvalshouldbe 0
    contain "Done"
    nocontain "WARN:"
    nocontain "ERROR:"
    nocontain "Unexpected termination"

    # cleanup group (it is named $group3 after the two renames)
    success a0_delete_g3 $a0 --osh groupDelete --group $group3 --no-confirm
}

# This file is meant to be sourced: run the suite right away, then drop the
# function definition so it does not linger in the sourcing shell.
testsuite_scripts; unset -f testsuite_scripts
